DMZ Configuration

sgoethals1
Level 1

I am trying to set up a DMZ and I am running into problems. I set up a Windows server in the DMZ thinking I would be able to ping it or at least access the file share. No luck. (No, I won't do this in a production environment.) I am new at setting up a DMZ and want to get the hang of how things will work. The ASA I am working with is currently in a test environment.

The quick startup guide for the Cisco ASA appliance suggests doing the following.

DMZ = 10.30.30.0 /24

internal = 192.168.0.0 /24

global (dmz) 50 10.30.30.10-10.30.30.30 netmask 255.255.255.0

nat (inside) 50 192.168.0.0 255.255.255.0

I then put a Windows machine in the DMZ and configured it with an IP of 10.30.30.50.

What I have found is that I get no xlate, and I can't access the server via ping or the file share.

I have seen some references on this forum recommending

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Any suggestions? Thanks.

2 Replies

ajagadee
Cisco Employee

In the above case, Static is a better route to take since the packets are between the Inside and DMZ.

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

In the above case, any 192.168.0.0/24 traffic going to the DMZ will get translated to 192.168.0.0/24. So the DMZ network will see the inside network as 192.168.0.0/24. And if the DMZ is going to initiate the traffic to inside destined for 192.168.0.0/24, make sure the ACL applied on the DMZ permits this traffic.

Regards,

Arul

*Pls rate if it helps*

In addition, you can do a nonat exempt ACL instead, in either direction, if you intend to simply NAT-exempt both networks, DMZ and inside.

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.30.30.0 255.255.255.0

access-list nonat extended permit ip 10.30.30.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (dmz) 0 access-list nonat

It is best to reference this link to understand NAT in firewalls:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Regards

Jorge Rodriguez
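The two replies above give the same fix in two forms (an identity static, or NAT exemption with nat 0). The configuration below is an added worked example, not the thread's own configuration and not from Cisco documentation, that puts both alongside the quick-start lines from the original post so the differences are visible in one place. Interface names, security levels and the two subnets come from the thread; the physical interface IDs, the ASA's own interface addresses, the ACL names and the sample inside host 192.168.0.10 are assumptions. The syntax is the pre-8.3 NAT syntax used in the replies.

```cisco
! Added worked example, not the thread's own configuration. ASA 8.0-era
! (pre-8.3) NAT syntax as used in the replies. Interface names, security
! levels and the two subnets come from the thread; the physical interface
! IDs, the ASA's own addresses, the ACL names and the sample host
! 192.168.0.10 are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
! The quick-start lines from the original post, for comparison: inside
! hosts that talk to the DMZ are hidden behind the 10.30.30.10-30 pool,
! so the DMZ server sees pool addresses, not 192.168.0.x. An xlate is
! only created when an inside host actually sends traffic toward the DMZ.
global (dmz) 50 10.30.30.10-10.30.30.30 netmask 255.255.255.0
nat (inside) 50 192.168.0.0 255.255.255.0
!
! ---- Option A (first reply): identity static. Inside keeps its real
! addresses toward the DMZ; 'show xlate' shows 192.168.0.x -> 192.168.0.x
! for each inside host once traffic flows. A static is matched before
! the dynamic nat 50 rule above, so the pool is no longer used for DMZ.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! ---- Option B (second reply): NAT exemption instead of the static.
! Configure A or B, not both. nat 0 access-list is bidirectional, so
! the inside-side statement alone lets either side initiate; the
! mirrored dmz-side statement is the form the reply used and is
! harmless, but nat (inside) 0 is the one that exempts the inside-
! initiated ping and file-share traffic the original post is testing.
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat_dmz extended permit ip 10.30.30.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat_dmz
!
! Both options expose real inside addresses to the DMZ, so the ACL on
! the dmz interface is what stops a compromised DMZ host from walking
! into 192.168.0.0/24. dmz (50) -> inside (100) is denied by default,
! but once an ACL is applied to dmz only its rules count, so the deny
! toward inside must be explicit and must come before the permit to
! 'any'. Replies to inside-initiated TCP/UDP connections are matched by
! the connection table and are not subject to this ACL.
access-list dmz_in extended deny ip 10.30.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in extended permit ip 10.30.30.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! ICMP is not tracked by the connection table unless it is inspected,
! so without this the echo request leaves toward the DMZ and the echo
! reply is dropped on dmz by the ACL above. inspect icmp ties the reply
! to the request, which is why the ping test needs it even when the
! NAT is right.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To confirm the NAT and ACL decisions before touching the host, run `packet-tracer input inside tcp 192.168.0.10 1025 10.30.30.50 445` for the file share and `packet-tracer input inside icmp 192.168.0.10 8 0 10.30.30.50` for the ping, then check `show xlate` after real traffic; with Option A the entry is an identity mapping, with Option B there is no entry because exempted traffic is not translated. If packet-tracer ends in ALLOW and the share still does not answer, the next suspect is the Windows host itself: in its default configuration the Windows firewall drops inbound ICMP echo and scopes its File and Printer Sharing rules to the local subnet, so a client on 192.168.0.0/24 is refused even though the ASA forwarded the packets.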